Google Duo has been upgraded to include both video calling and meeting capabilities on mobile and web. Once fully rolled out, your Duo app and icon will also update to Google Meet . When communicating in the new Meet app, you can use either:
- 1:1 and group video calling: The classic Duo end-to-end encrypted experience that involves ringing a number or group directly. Your call will have a lock icon and an in-call watermark confirming that it is end-to-end encrypted.
- Meetings: The ability to create or join a cloud-encrypted Google Meet meeting with a link when you're ready.
Available features and encryption methods are different between video calling and meetings.
To make sure that your data is safe, the new Meet app uses multiple encryption methods.
- For 1:1 and group video calling: End-to-end encryption is used to mask data with a code that only you and the other callers can access. It is a standard security method that protects communications data and is built into every Duo 1:1 and group video call so you don't need to turn it on yourself, and it can't be turned off.
- For Meet meetings: Cloud encryption is used to encrypt your meeting data in transit and stored information in Google's data centres instead of end-to-end encryption.
Tip: To add an additional layer of protection, organisations can also use client-side encryption to have full control of their encryption keys. Learn more about client-side encryption.How end-to-end encryption and cloud encryption differ
End-to-end encryption for 1:1 and group video calling:
- Is a standard security method that protects communications data.
- Is on by default and can't be turned off.
- Makes sure that only people in a call know what's said or shown.
- Doesn't allow Google to view, hear or save the audio and video from your call.
- Masks the call data with a code that requires a key to decode.
- Encryption keys stay on the callers' devices for 1:1 and group calls.
You can learn more in Duo's end-to-end encryption technical paper.
Cloud encryption for meetings:
- By default, meeting data is encrypted in transit between the client and Google data centres for any meeting taking place in Google Duo or Google Meet.
- Google servers can decode your meeting data and will need to do so to enable certain meeting features such as captions, background effects and the ability to record meetings.
- By default, meeting recordings enabled by a meeting participant are stored in Google Drive and encrypted.
- Meeting encryption adheres to:
- Internet Engineering Task Force security standards for Datagram Transport Layer Security (DTLS)
- Secure Real-time Transport Protocol (SRTP)
Learn about call and meeting encryption in the new Meet app.
Shared secret keys stay on the callers' devices
Your device decrypts your call's audio and video with a shared secret key. This key is created on your device and your contact's device and is deleted after the call ends. It's not shared with any server.
What's needed for a shared key
To calculate the shared key, each device needs:
- A private key, which is saved only on your device
- A public key, which is saved on Duo's servers
The first time that you set up or link your calling account in Meet, your device creates several private/public key pairs. This way, you're ready for several end-to-end encrypted calls.
How shared secret keys are created
- The devices exchange their public keys but don't reveal their private keys.
- Next, each device uses its private key and the public key from the other device to calculate the shared secret key. They use a mathematical process called cryptography.
Google servers can't decode your call
When you call someone else on Duo, your call's audio and video typically go directly from your device to their device. This connection is called peer-to-peer. The call doesn't go through a Google server.
However, sometimes a peer-to-peer connection isn't available, like if a network setting blocks it. In this case, a Google relay server passes a call's audio and video between your device and the device that you called. The server can't decode your call because it doesn't have the shared secret key.
Group calls stay private on the server
Group calls are also end-to-end encrypted. To make sure that group calls are high quality, they go through a Google server.
That server routes everyone's call audio and video to others in the group. To route calls, the server uses info about your call, like which device the video is from. The server doesn't have access to the end-to-end encryption keys and can't decrypt the media.
Group calls use multiple keys
To be part of a call that goes through a server, each group member's device automatically uses:
- A sender key to encrypt the call's audio and video. When someone starts a group call, each device exchanges this key with the other devices.
- A client-to-server key to encrypt info about the call. Each device exchanges this key with the server.
What the keys do
The keys work to:
- Encrypt your call's audio and video so that only other people in the group can hear and see it.
- Decode the audio, video and info from other people in the group call.
Keys can change during group calls
Everyone's devices exchange new sender keys if either:
- Someone leaves a group.
- A person who wasn't part of the group gets added to it during the call.
If a person in the group doesn't immediately join the group call, their device can still use everyone's sender keys. This way, that person can join the call at any time while it's live.
When the group call ends, the keys are deleted.